While integrating a foreign payment platform, CashFree, we found that on an old system (Xiaomi Redmi 1S Youth Edition, Android 4.3) the page could not be opened at all:
The error details show an SSL handshake failure:
In Logcat a large number of errors can be seen:
These errors come in several kinds:
```
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225443:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned -1, SSL error code 1, net_error -113
W/chromium_net: external/chromium/net/http/http_stream_factory_impl_job.cc:865: [0404/225443:WARNING:http_stream_factory_impl_job.cc(865)] Falling back to SSLv3 because host is TLS intolerant: browser.sentry-cdn.com:443
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225443:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned -1, SSL error code 1, net_error -107
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225446:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned 0, SSL error code 5, net_error -107
W/chromium_net: external/chromium/net/http/http_stream_factory_impl_job.cc:865: [0404/225446:WARNING:http_stream_factory_impl_job.cc(865)] Falling back to SSLv3 because host is TLS intolerant: www.cashfree.com:443
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225446:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned 0, SSL error code 5, net_error -107
```
After a basic search, our preliminary conclusion was that the server only supports specific SSL/TLS versions that this Android version does not. We used https://www.ssllabs.com/ssltest to check which SSL/TLS versions www.cashfree.com supports:
As can be seen, the server only supports TLS 1.2, so the handshake cannot succeed whether or not the client falls back to SSLv3. Android only began supporting TLS 1.2 from 4.4.2:
Therefore configuring certificate trust cannot solve this problem (in fact the connection fails before the certificate-trust code is even reached). Android 4.3 only supports TLS 1.0 and SSLv3:
As for SSLv3, which is already insecure, reference 3 states:
It is (SSL 3.0) enabled by default for:
Android 1.0, 1.1, 1.5, 1.6, 2.0–2.1, 2.2–2.2.3
And:
Android 2.3–2.3.7, 3.0–3.2.6, 4.0–4.0.4
And:
Android 5.0-5.0.2
But, seems like, it is not enabled for:
Android 5.1-5.1.1
Android 6.0-6.0.1
References:
1. https://www.ssllabs.com/ssltest/index.html
2. https://www.ssllabs.com/ssltest/clients.html, "User Agent Capabilities", which lists the TLS/SSL versions supported by each browser
3. https://stackoverflow.com/questions/35018510/android-4-3-webview-https-error-falling-back-to-sslv3-because-host-is-tls-int
4. https://stackoverflow.com/questions/28329652/enabling-specific-ssl-protocols-with-android-webviewclient, which suggests using OkHttpClient to handle the WebViewClient's requests
5. https://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2
Please keep the source when reprinting; unauthorized reprints will be pursued: 进城务工人员小梅 » Strange handshake failure caused by the TLS version on older Android